Bug#1095270: lightdm: /usr/share/xsessions/lightdm-autologin.desktop error in exec statement
Package: lightdm
Version: 1.32.0-6+b1
Severity: grave
Justification: user security hole
X-Debbugs-Cc: frax@axnet.nu
After dist-upgrading on Feb 5 2025, using autologin with lightdm with the attached config,
in particular setting
autologin-session=lightdm-autologin
in /etc/lightdm/lightdm.conf,
we get the following error:
Xsession: unable to launch "env AUTOLOGIN=yes /etc/X11/Xsession" X session ---
"env AUTOLOGIN=yes /etc/X11/Xsession" not found; falling back to default
This is due to the Exec statement in /usr/share/xsessions/lightdm-autologin.desktop:
Exec=env AUTOLOGIN=yes /etc/X11/Xsession
However, /etc/X11/Xsession will be launched anyway, which is a user security problem / hole,
since AUTOLOGIN=yes is not set and the user will not know that it should allow
for the session being an AUTOLOGIN session, e.g. by immediately locking the screen
in case of an unattended reboot / start-up, potentially leaving the session wide open,
giving access to everybody having physical access to the computer.
The solution would be as simple as fixing /usr/share/xsessions/lightdm-autologin.desktop
to actually export AUTOLOGIN=yes before launching /etc/X11/Xsession,
e.g. via an executable wrapper:
~~~ /etc/X11/Xsession-AUTOLOGIN ~~~
#!/bin/sh
# Mark this session as an autologin session, then hand over to the normal Xsession.
AUTOLOGIN=yes
export AUTOLOGIN
exec /etc/X11/Xsession
~~~
and setting
Exec=/etc/X11/Xsession-AUTOLOGIN
in /usr/share/xsessions/lightdm-autologin.desktop.
-- System Information:
Debian Release: trixie/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.11-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lightdm depends on:
ii adduser 3.137
ii dbus 1.16.0-1
ii debconf [debconf-2.0] 1.5.89
ii libaudit1 1:4.0.2-2+b1
ii libc6 2.40-6
ii libgcrypt20 1.11.0-7
ii libglib2.0-0t64 2.82.4-2
ii libpam-systemd [logind] 257.2-3
ii libpam0g 1.7.0-2
ii libxcb1 1.17.0-2+b1
ii libxdmcp6 1:1.1.5-1
ii lightdm-gtk-greeter [lightdm-greeter] 2.0.9-1
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+24
Versions of packages lightdm suggests:
ii accountsservice 23.13.9-7
ii upower 1.90.7-1
ii xserver-xephyr 2:21.1.15-2
-- Configuration Files:
/etc/lightdm/lightdm.conf changed:
[LightDM]
[Seat:*]
greeter-hide-users=false
greeter-show-manual-login=false
greeter-show-remote-login=false
allow-user-switching=true
display-setup-script=/etc/lightdm/fraxdisplaysetup.sh
autologin-user=frax
autologin-user-timeout=0
autologin-session=lightdm-autologin
[XDMCPServer]
[VNCServer]
/etc/lightdm/users.conf changed:
[UserList]
minimum-uid=1366
hidden-users=nobody nobody4 noaccess
hidden-shells=/bin/false /usr/sbin/nologin
/etc/pam.d/lightdm changed:
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
-auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
@include common-password
-- debconf information:
* shared/default-x-display-manager: lightdm
lightdm/daemon_name: /usr/sbin/lightdm
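The failure mode described in the report above, and the wrapper it proposes, as an added example that is not part of the bug report or of the lightdm package. It builds a throwaway stand-in for /etc/X11/Xsession in a temp directory, writes the proposed wrapper pointed at that stand-in, and approximates how the Xsession startup handles the Exec value it receives: the whole string arrives as one argument and is looked up as one command name. That lookup (exec_value_accepted), the stand-in paths and the demo helpers are assumptions of this example, based on the quoted error message, not the package's own code. Run it with sh; it touches no system files.

```shell
#!/bin/sh
# Added example, not code from the bug report or the lightdm package.
# Rebuilds the reported failure in a temp directory and shows why the
# proposed wrapper fixes it.

setup_demo() {
    DEMO=$(mktemp -d)
    unset AUTOLOGIN   # start clean so the stand-in only sees what we pass it

    # Stand-in for /etc/X11/Xsession: prints the AUTOLOGIN value it sees.
    cat >"$DEMO/Xsession" <<'EOF'
#!/bin/sh
printf '%s\n' "${AUTOLOGIN:-unset}"
EOF

    # The wrapper proposed in the report, with the real path swapped
    # for the stand-in (unquoted heredoc: $DEMO is expanded now).
    cat >"$DEMO/Xsession-AUTOLOGIN" <<EOF
#!/bin/sh
AUTOLOGIN=yes
export AUTOLOGIN
exec "$DEMO/Xsession"
EOF

    chmod +x "$DEMO/Xsession" "$DEMO/Xsession-AUTOLOGIN"
}

# Approximation (assumption of this example) of the lookup the Xsession
# startup applies to the Exec value: it is one word and must therefore
# name a single executable. Returns 0 when it would be accepted.
exec_value_accepted() {
    command -v "$1" >/dev/null 2>&1
}

# Start a session the way the report describes: run the Exec value if it
# resolves, otherwise log the failure and fall back to the plain Xsession.
# Prints the AUTOLOGIN value the session actually saw.
start_session() {
    if exec_value_accepted "$1"; then
        "$1"
    else
        echo "Xsession: unable to launch \"$1\"; falling back to default" >&2
        "$DEMO/Xsession"
    fi
}

# Exec value shipped in lightdm-autologin.desktop (path adapted to the stand-in).
broken_exec_value() {
    printf '%s\n' "env AUTOLOGIN=yes $DEMO/Xsession"
}

# Exec value the report proposes instead.
wrapper_exec_value() {
    printf '%s\n' "$DEMO/Xsession-AUTOLOGIN"
}

teardown_demo() {
    rm -rf "$DEMO"
}

# Stand-alone run: prints "unset" for the shipped Exec value (fallback
# session, marker lost) and "yes" for the wrapper.
demo() {
    setup_demo
    start_session "$(broken_exec_value)"
    start_session "$(wrapper_exec_value)"
    teardown_demo
}

demo
```

The shipped Exec value fails the lookup, so the fallback session starts with AUTOLOGIN unset, which is exactly the silent loss the report describes; the wrapper path resolves and the session sees AUTOLOGIN=yes. Running `command -v` on the literal Exec string from the .desktop file is a quick way to check a candidate fix before rebooting, and any screen-lock or other autologin safeguard keyed on AUTOLOGIN should be verified the same way, from inside the started session rather than from the greeter's environment.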